php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #69240 is_dir() warns of open_basedir restriction on non-existent directory in config
Submitted: 2015-03-15 10:01 UTC Modified: 2021-05-30 04:22 UTC
Votes:4
Avg. Score:4.5 ± 0.5
Reproduced:4 of 4 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (25.0%)
From: andrea dot cristaudo at gmail dot com Assigned: cmb (profile)
Status: No Feedback Package: Safe Mode/open_basedir
PHP Version: 5.5.22 OS:
Private report: No CVE-ID: None
View Developer Edit
 [2015-03-15 10:01 UTC] andrea dot cristaudo at gmail dot com 
Description:
------------
If open_basedir is active, file_exists(), as well as is_dir() and 
is_file(), throw an open_basedir warning if you check a directory mentioned in the open_basedir configuration if that directory is non-existent.

Same result on v5.5.9 and v.5.3.3 that I've tested on.

Somehow related to https://bugs.php.net/bug.php?id=41518 and https://bugs.php.net/bug.php?id=24313

Test script:
---------------
#php -d open_basedir=/tmp -r 'var_dump(is_dir("/tmp"));'

#php -d open_basedir=/tmp2 -r 'var_dump(is_dir("/tmp2"));'

Expected result:
----------------
bool(true)

bool(false)

Actual result:
--------------
bool(true)

PHP Warning:  is_dir(): open_basedir restriction in effect. File(/tmp2) is not within the allowed path(s): (/tmp2) in Command line code on line 1
PHP Stack trace:
PHP   1. {main}() Command line code:0
PHP   2. is_dir() Command line code:1
bool(false)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-03-16 07:53 UTC] fa@php.net
-Status: Open +Status: Verified
 [2015-03-16 07:53 UTC] fa@php.net 
Verified on 5.5.24-dev

Output on 5.6.4 is
bool(true)
bool(fals)
 [2015-05-19 11:03 UTC] cmb@php.net
-Assigned To: +Assigned To: cmb
 [2015-05-19 11:03 UTC] cmb@php.net 
Related to bug #52065.
 [2015-05-31 18:51 UTC] cmb@php.net
-Assigned To: cmb +Assigned To:
 [2015-10-09 15:45 UTC] ben at indietorrent dot org 
I should note also that the \ErrorException's error message is invalid, too, in that the message is illogical and contradictory.

Here is an example:

is_dir(): open_basedir restriction in effect. File(/srv/www/example.com/web) is not within the allowed path(s): (/srv/www/example.com/web)

My point is that the referenced file (which is in fact a directory, but that's beside the point) is indeed present in the allow path(s) list.

It bears mention that this contradictory message seems to be a product of this bug. In other words, the contradictory message occurs only when the directory in question does not exist on the filesystem.
 [2016-08-06 16:02 UTC] ben at indietorrent dot org 
A follow-up to my previous comment.

I'm not sure if or when the exact message was changed, but having encountered this more recently (in PHP 7), the \ErrorException message is in fact correct in that it notes (too subtly, in my opinion) that the *File* is not within the allowed paths.

Maybe I had simply overlooked this most important distinction in the error message: the message is referring to a *file*, not a *directory*.

Let's look at a clearer example of this problem. This is triggered in Symfony:

----
ErrorException in ExecutableFinder.php line 63:
is_executable(): open_basedir restriction in effect. File(/usr/share/php) is not within the allowed path(s): (/usr/share/php:/tmp:/usr/share/phpmyadmin:/etc/phpmyadmin:/var/lib/phpmyadmin:/usr/local/zend/var/zray/extensions:/usr/local/zend/share:/usr/local/zend/var/plugins)

is_dir(): open_basedir restriction in effect. File(/srv/www/example.com/web) is not within the allowed path(s): (/srv/www/example.com/web)
----

What is actually happening here is that Symfony is poking-around for PHP executable locations and calls `is_executable(/usr/share/php)`.

The reason for which the message is so confusing (in my opinion) is that the file for which Symfony is looking, `/usr/share/php`, actually points to a *directory* on many systems, such as Debian/Ubuntu GNU/Linux. Until I studied the message more carefully, I thought, "This is so strange... the very directory for which PHP is looking is the first one listed in the open_basedir directive!"

I suppose the important question is whether or not the \ErrorException message changes when I call is_dir('/usr/share/php') or scandir('/usr/share/php'). I will test this soon.

If not, then the message is ambiguous, and the underlying logic should really be reworked to make clear whether PHP is attempting to access a file or a directory. One might argue that there is no meaningful distinction between a file and a directory where the underlying mechanisms are concerned, but if that is true, the message is then invalid.
 [2021-05-20 13:23 UTC] cmb@php.net
-Status: Verified +Status: Feedback -Assigned To: +Assigned To: cmb
 [2021-05-20 13:23 UTC] cmb@php.net 
Why would you want to specify a non existent directory as
open_basedir in the first place?
 [2021-05-30 04:22 UTC] php-bugs at lists dot php dot net 
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Tue Nov 05 04:01:30 2024 UTC